Herbert Xu wrote:
On Mon, Nov 26, 2007 at 04:56:01PM +0100, Patrick McHardy wrote:
That should work as long as we keep the del_timer_sync to avoid
a use-after-free. It seems a bit fragile though.
Well we're relying on the del_timer_sync already to avoid the
ref count on the timer. Otherwise if the admin deletes the
SA while the timer is running it'll go up in smoke too.
If you look in the history you'll find that the same patch
that removed the ref count on the timer introduced the call
to del_timer_sync :)
OK, here's a patch to use xfrm_state_put in __xfrm_state_delete().
I've checked the other callers and it should be fine. Lock ordering
between x->lock and xfrm_state_gc_lock also doesn't seem to be an
issue.
commit ba63b1baf5d8a63f3bb3097a7201de75c1b77e2d
Author: Patrick McHardy <[EMAIL PROTECTED]>
Date: Mon Nov 26 16:00:50 2007 +0100
[XFRM]: Fix leak of expired xfrm_states
The xfrm_timer calls __xfrm_state_delete, which drops the final reference
manually without triggering destruction of the state. Change it to use
xfrm_state_put to add the state to the gc list when we're dropping the
last reference. The timer function may still continue to use the state
safely since the final destruction does a del_timer_sync().
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 224b44e..cf43c49 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -552,7 +552,7 @@ int __xfrm_state_delete(struct xfrm_state *x)
* The xfrm_state_alloc call gives a reference, and that
* is what we are dropping here.
*/
- __xfrm_state_put(x);
+ xfrm_state_put(x);
err = 0;
}
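Review bot: the comment directly above the changed line ("The xfrm_state_alloc call gives a reference, and that is what we are dropping here.") still only says which reference is dropped; it should also record why switching to xfrm_state_put() is safe when __xfrm_state_delete() is reached from the xfrm_timer callback, since that is the whole point of the change. From the cover text and the commit message, the argument is that dropping the last reference here only queues the state for gc and the real destruction, including its del_timer_sync(), happens later outside the timer handler, so the handler can keep using x after this call. A second line noting that the caller holds x->lock and that taking xfrm_state_gc_lock under it is the intended order would also capture the lock-ordering check mentioned in the cover text, which otherwise lives only in the mail.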
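To make the difference between the two put variants concrete, here is an added user-space model of the pattern the commit message describes. It is not kernel code and not part of the patch: the struct, the function names (model_state_alloc, __model_state_put, model_state_put, __model_state_delete, model_gc_run) and the scenarios are assumptions that loosely mirror net/xfrm/xfrm_state.c. The first scenario shows a state that is unhashed from the timer and never freed when the bare decrement is used, and freed exactly once when the last reference goes through the gc list; the second shows why the gc-list variant is still correct when someone else (a lookup) holds a reference at delete time.

```c
/* Added example: user-space model of refcount drop vs. gc-list deferral.
 * Not kernel code; names are assumptions modelled on xfrm_state.c. */
#include <errno.h>
#include <stdlib.h>

struct model_state {
    int refcnt;                  /* stands in for x->refcnt */
    int deleted;                 /* set once __model_state_delete has run */
    struct model_state *gc_next; /* stands in for the gc list linkage */
};

static struct model_state *model_gc_list; /* stands in for xfrm_state_gc_list */
static int model_destroyed;               /* how many states the gc work freed */

static struct model_state *model_state_alloc(void)
{
    struct model_state *x = calloc(1, sizeof(*x));
    if (x)
        x->refcnt = 1; /* like xfrm_state_alloc: caller owns one reference */
    return x;
}

/* Model of __xfrm_state_put: bare decrement, never schedules destruction. */
static void __model_state_put(struct model_state *x)
{
    x->refcnt--;
}

/* Model of xfrm_state_put: the last reference queues the state for gc. */
static void model_state_put(struct model_state *x)
{
    if (--x->refcnt == 0) {
        x->gc_next = model_gc_list;
        model_gc_list = x;
    }
}

/* Model of __xfrm_state_delete: unhash once, then drop the alloc reference
 * either the leaky way (use_fix == 0) or via the gc list (use_fix == 1). */
static int __model_state_delete(struct model_state *x, int use_fix)
{
    if (x->deleted)
        return -ESRCH; /* already unhashed */
    x->deleted = 1;
    if (use_fix)
        model_state_put(x);
    else
        __model_state_put(x);
    return 0;
}

/* Model of the gc work: runs later, from workqueue context, never from the
 * timer itself, so it may do the equivalent of del_timer_sync() and free. */
static void model_gc_run(void)
{
    while (model_gc_list) {
        struct model_state *x = model_gc_list;
        model_gc_list = x->gc_next;
        free(x);
        model_destroyed++;
    }
}

/* Model of the expiry timer: deletes the state and then keeps touching it.
 * This is only safe because destruction has been deferred to the gc work. */
static int model_timer_fires(struct model_state *x, int use_fix)
{
    int err = __model_state_delete(x, use_fix);
    return err == 0 && x->deleted == 1; /* x is still valid here */
}

/* Scenario 1: expire a state from the timer, run gc, report frees.
 * Returns 0 when the state leaked, 1 when it was destroyed. */
int model_expire_scenario(int use_fix)
{
    model_gc_list = NULL;
    model_destroyed = 0;
    struct model_state *x = model_state_alloc();
    if (!x)
        return -1;
    if (!model_timer_fires(x, use_fix))
        return -1;
    model_gc_run();
    if (!use_fix)
        free(x); /* reclaim the leaked state so the model itself stays clean */
    return model_destroyed;
}

/* Scenario 2: admin deletes the SA while a lookup still holds a reference.
 * The delete path drops one reference, the lookup drops the other, and the
 * gc work frees the state exactly once. Returns the number of frees. */
int model_admin_delete_scenario(void)
{
    model_gc_list = NULL;
    model_destroyed = 0;
    struct model_state *x = model_state_alloc();
    if (!x)
        return -1;
    x->refcnt++;                                /* lookup took a reference */
    if (__model_state_delete(x, 1) != 0)        /* delete: 2 -> 1, not queued */
        return -1;
    if (__model_state_delete(x, 1) != -ESRCH)   /* second delete is a no-op */
        return -1;
    model_state_put(x);                         /* lookup drops: 1 -> 0, queued */
    model_gc_run();
    return model_destroyed;
}
```

The model keeps the same shape as the real code on purpose: the only difference between the leaky and the fixed path is which put is called on the final reference, and the gc step that frees the state runs from a context other than the timer callback, which is what makes a del_timer_sync() there possible.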